Created attachment 158236 [details] Test file

Chrome stack trace: # # Fatal error in ../../v8/src/handles-inl.h, line 64 # CHECK(location_ != __null) failed # ==== Stack trace ============================================ Security context: 0x32527351 <String[16]: http://localhost> 1: getEventListeners [0x32408091 <undefined>:1049] (this=0x327a649d <a CommandLineAPIImpl>#0#,node=0x427c5889 <an HTMLDivElement>#1#) 5: getEventListeners [native v8natives.js:1597] (this=0x427d6565 <a CommandLineAPI>#2#) 6: arguments adaptor frame: 1->0 7: /* anonymous */ [0x32408091 <undefined>:2] (this=0x3271b25d <JS Global Object>#3#) 8: eval [native v8natives.js:170] (this=0x3271b25d <JS Global Object>#3#,a=0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}>) 9: _evaluateOn [0x32408091 <undefined>:450] (this=0x42708129 <JS Object>#4#,evalFunction=0x32714fe5 <JS Function eval>#5#,object=0x3271b25d <JS Global Object>#3#,objectGroup=0x35812271 <String[7]: console>,expression=0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}>,isEvalOnCallFrame=0x324080c1 <false>,injectCommandLineAPI=0x324080b1 <true>) 10: _evaluateAndWrap [0x32408091 <undefined>:409] (this=0x42708129 <JS Object>#4#,evalFunction=0x32714fe5 <JS Function eval>#5#,object=0x3271b25d <JS Global Object>#3#,expression=0x427d653d <String[44]: getEventListeners(document.body.children[0])>,objectGroup=0x35812271 <String[7]: console>,isEvalOnCallFrame=0x324080c1 <false>,injectCommandLineAPI=0x324080b1 <true>,returnByValue=0x324080c1 <false>) 11: evaluate [0x32408091 <undefined>:345] (this=0x42708129 <JS Object>#4#,expression=0x427d653d <String[44]: getEventListeners(document.body.children[0])>,objectGroup=0x35812271 <String[7]: console>,injectCommandLineAPI=0x324080b1 <true>,returnByValue=0x324080c1 <false>) ==== Details ================================================ [1]: getEventListeners [0x32408091 <undefined>:1049] (this=0x327a649d <a CommandLineAPIImpl>#0#,node=0x427c5889 <an HTMLDivElement>#1#) { // expression stack (top to bottom) [02] : 0x327922f9 <JS Function getEventListeners>#6# [01] : 0x427c5889 <an HTMLDivElement>#1# [00] : 0x427082ad <an InjectedScriptHost>#7# --------- s o u r c e c o d e --------- function (node)? {? return InjectedScriptHost.getEventListeners(node);? } ----------------------------------------- } [5]: getEventListeners [native v8natives.js:1597] (this=0x427d6565 <a CommandLineAPI>#2#) { // stack-allocated locals var arguments = 0x427d84bd <an Arguments>#8# var d = 1 var g = 0x32408091 <undefined> var h = 0x32408091 <undefined> var c = 0x427d84d9 <JS Array[2]>#9# var f = 0x32408091 <undefined> var e = 0x32408091 <undefined> // expression stack (top to bottom) [11] : 1 [10] : 0 [09] : 0x427d84bd <an Arguments>#8# [08] : 0x327a649d <a CommandLineAPIImpl>#0# [07] : 0x327b26f9 <JS Function>#10# --------- s o u r c e c o d e --------- function (){??"use strict";???if(%_IsConstructCall()){?return %NewObjectFromBound(b);?}?var c=%BoundFunctionGetBindings(b);??var d=%_ArgumentsLength();?if(d==0){?return %Apply(c[0],c[1],c,2,c.length-2);?}?if(c.length===2){?return %Apply(c[0],c[1],arguments,0,d);?}?var e=c.length-2;?var f=new InternalArray(e+... ----------------------------------------- } [6]: arguments adaptor frame: 1->0 { // actual arguments [00] : 0x427c5889 <an HTMLDivElement>#1# // not passed to callee } [7]: /* anonymous */ [0x32408091 <undefined>:2] (this=0x3271b25d <JS Global Object>#3#) { // stack-allocated locals var .result = 0x32408091 <undefined> // expression stack (top to bottom) [03] : 0x427c5889 <an HTMLDivElement>#1# [02] : 0x427d6565 <a CommandLineAPI>#2# [01] : 0x427d6f51 <JS Function>#11# --------- s o u r c e c o d e --------- with ((window && window.console && window.console._commandLineAPI) || {}) {?getEventListeners(document.body.children[0])?} ----------------------------------------- } [8]: eval [native v8natives.js:170] (this=0x3271b25d <JS Global Object>#3#,a=0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}>) { // stack-allocated locals var c = 0x324080c1 <false> var d = 0x427d8471 <JS Function>#12# var b = 0x3271b25d <JS Global Object>#3# // expression stack (top to bottom) [03] : 0x3271b25d <JS Global Object>#3# --------- s o u r c e c o d e --------- function eval(a){?if(!(typeof(a)==='string'))return a;??var b=%GlobalReceiver(global);?var c=(global===b);???????if(c){?throw new $EvalError('The "this" value passed to eval must '+?'be the global object from which eval originated');?}??var d=%CompileString(a);?if(!(%_IsFunction(d)))return d;??return %_CallFunct... ----------------------------------------- } [9]: _evaluateOn [0x32408091 <undefined>:450] (this=0x42708129 <JS Object>#4#,evalFunction=0x32714fe5 <JS Function eval>#5#,object=0x3271b25d <JS Global Object>#3#,objectGroup=0x35812271 <String[7]: console>,expression=0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}>,isEvalOnCallFrame=0x324080c1 <false>,injectCommandLineAPI=0x324080b1 <true>) { // stack-allocated locals var result = 0x32408091 <undefined> // expression stack (top to bottom) [07] : 0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}> [06] : 0x3271b25d <JS Global Object>#3# --------- s o u r c e c o d e --------- function (evalFunction, object, objectGroup, expression, isEvalOnCallFrame, injectCommandLineAPI)? {? // Only install command line api object for the time of evaluation.? // Surround the expression in with statements to inject our command line API so that? // the window object propert... ----------------------------------------- } [10]: _evaluateAndWrap [0x32408091 <undefined>:409] (this=0x42708129 <JS Object>#4#,evalFunction=0x32714fe5 <JS Function eval>#5#,object=0x3271b25d <JS Global Object>#3#,expression=0x427d653d <String[44]: getEventListeners(document.body.children[0])>,objectGroup=0x35812271 <String[7]: console>,isEvalOnCallFrame=0x324080c1 <false>,injectCommandLineAPI=0x324080b1 <true>,returnByValue=0x324080c1 <false>) { // expression stack (top to bottom) [13] : 0x324080b1 <true> [12] : 0x324080c1 <false> [11] : 0x427d804d <String[122]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(document.body.children[0])\n}> [10] : 0x35812271 <String[7]: console> [09] : 0x3271b25d <JS Global Object>#3# [08] : 0x32714fe5 <JS Function eval>#5# [07] : 0x42708129 <JS Object>#4# [06] : 0x42708129 <JS Object>#4# [05] : 0x427d6551 <an Object>#13# --------- s o u r c e c o d e --------- function (evalFunction, object, expression, objectGroup, isEvalOnCallFrame, injectCommandLineAPI, returnByValue)? {? try {? return { wasThrown: false,? result: this._wrapObject(this._evaluateOn(evalFunction, object, objectGroup, expression, isEvalOnCallFrame, injectCo... ----------------------------------------- } [11]: evaluate [0x32408091 <undefined>:345] (this=0x42708129 <JS Object>#4#,expression=0x427d653d <String[44]: getEventListeners(document.body.children[0])>,objectGroup=0x35812271 <String[7]: console>,injectCommandLineAPI=0x324080b1 <true>,returnByValue=0x324080c1 <false>) { // expression stack (top to bottom) [07] : 0x324080c1 <false> [06] : 0x324080b1 <true> [05] : 0x324080c1 <false> [04] : 0x35812271 <String[7]: console> [03] : 0x427d653d <String[44]: getEventListeners(document.body.children[0])> [02] : 0x3271b25d <JS Global Object>#3# [01] : 0x32714fe5 <JS Function eval>#5# [00] : 0x42708129 <JS Object>#4# --------- s o u r c e c o d e --------- function (expression, objectGroup, injectCommandLineAPI, returnByValue)? {? return this._evaluateAndWrap(inspectedWindow.eval, inspectedWindow, expression, objectGroup, false, injectCommandLineAPI, returnByValue);? } ----------------------------------------- } ==== Key ============================================ #0# 0x327a649d: 0x327a649d <a CommandLineAPIImpl> #1# 0x427c5889: 0x427c5889 <an HTMLDivElement> #2# 0x427d6565: 0x427d6565 <a CommandLineAPI> $$: 0x427d6695 <JS Function>#14# clear: 0x427d6ea9 <JS Function>#15# getEventListeners: 0x427d6f51 <JS Function>#11# $x: 0x427d673d <JS Function>#16# $: 0x427d65ed <JS Function>#17# copy: 0x427d6e01 <JS Function>#18# inspect: 0x427d6d39 <JS Function>#19# unmonitorEvents: 0x427d6c91 <JS Function>#20# keys: 0x427d6935 <JS Function>#21# dir: 0x427d67e5 <JS Function>#22# profile: 0x427d6a85 <JS Function>#23# dirxml: 0x427d688d <JS Function>#24# profileEnd: 0x427d6b2d <JS Function>#25# $_: 0x427c5889 <an HTMLDivElement>#1# values: 0x427d69dd <JS Function>#26# monitorEvents: 0x427d6be9 <JS Function>#27# #3# 0x3271b25d: 0x3271b25d <JS Global Object> #4# 0x42708129: 0x42708129 <JS Object> _objectGroups: 0x327a6485 <an Object>#28# _modules: 0x327a6491 <an Object>#29# _idToWrappedObject: 0x327a646d <an Object>#30# _commandLineAPIImpl: 0x327a649d <a CommandLineAPIImpl>#0# _lastBoundObjectId: 20 _idToObjectGroupName: 0x327a6479 <an Object>#31# _lastResult: 0x427c5889 <an HTMLDivElement>#1# #5# 0x32714fe5: 0x32714fe5 <JS Function eval> #6# 0x327922f9: 0x327922f9 <JS Function getEventListeners> #7# 0x427082ad: 0x427082ad <an InjectedScriptHost> #8# 0x427d84bd: 0x427d84bd <an Arguments> length: 1 #9# 0x427d84d9: 0x427d84d9 <JS Array[2]> 0: 0x327b26f9 <JS Function>#10# 1: 0x327a649d <a CommandLineAPIImpl>#0# #10# 0x327b26f9: 0x327b26f9 <JS Function> #11# 0x427d6f51: 0x427d6f51 <JS Function> length: 1 #12# 0x427d8471: 0x427d8471 <JS Function> #13# 0x427d6551: 0x427d6551 <an Object> wasThrown: 0x324080c1 <false> result: 0x32408091 <undefined> #14# 0x427d6695: 0x427d6695 <JS Function> length: 0 #15# 0x427d6ea9: 0x427d6ea9 <JS Function> length: 0 #16# 0x427d673d: 0x427d673d <JS Function> length: 2 #17# 0x427d65ed: 0x427d65ed <JS Function> length: 0 #18# 0x427d6e01: 0x427d6e01 <JS Function> length: 1 #19# 0x427d6d39: 0x427d6d39 <JS Function> length: 1 #20# 0x427d6c91: 0x427d6c91 <JS Function> length: 2 #21# 0x427d6935: 0x427d6935 <JS Function> length: 1 #22# 0x427d67e5: 0x427d67e5 <JS Function> length: 0 #23# 0x427d6a85: 0x427d6a85 <JS Function> length: 0 #24# 0x427d688d: 0x427d688d <JS Function> length: 0 #25# 0x427d6b2d: 0x427d6b2d <JS Function> length: 0 #26# 0x427d69dd: 0x427d69dd <JS Function> length: 1 #27# 0x427d6be9: 0x427d6be9 <JS Function> length: 2 #28# 0x327a6485: 0x327a6485 <an Object> #29# 0x327a6491: 0x327a6491 <an Object> #30# 0x327a646d: 0x327a646d <an Object> #31# 0x327a6479: 0x327a6479 <an Object> =====================

Created attachment 158238 [details] Layout test

Created attachment 158372 [details] Patch

Comment on attachment 158372 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=158372&action=review > Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp:215 > + if (block.HasCaught() || function.IsEmpty()) I'd return upon HasCaught and assert non empty function.

Committed r125654: <http://trac.webkit.org/changeset/125654>